So I have been intrigued by the news coverage, or lack of it, of a bug reported in Microsoft’s IIS webserver last week. What makes this slightly unusual is that Microsoft released a patch on Tuesday, and by Thursday some bright spark had worked out exactly what the patch fixed, and found that if you gave a very interesting poke to an unpatched IIS webserver then it would blue screen.
The magic to test whether a server is vulnerable is:
curl -v [ipaddress]/static.png -H "Host: test" -H "Range: bytes=0-18446744073709551615"
Simply change the 0- to 20- and the server instantly hits the blue screen of death. Manual intervention is then required: some poor operator has to reboot the computer before it is usable again.
So how much press did this bug get? Practically zero. It was reported in The Register, but from the mainstream news outlets, nothing. Which is interesting, as the recent must-patch-now bugs for Linux, Heartbleed for example, got quite a bit of press. Admittedly that bug was in the OpenSSL package, which is used for encryption, but it also didn’t have the power to crash the server. Maybe the fact that it had a way cooler name helped it get attention.
What is very interesting is that both bugs were caused by the same very simple mistake: accepting input and not checking that the input is valid before you act on it. A very clear explanation of the Heartbleed issue in cartoon form is given by XKCD. In one case the mistake can be used to reveal information, and in the other to crash the server.
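To make the "check the input before you act on it" point concrete, here is an added example of what a defensive Range header parser looks like. This is illustration code written for this post, not Microsoft's HTTP.sys code and not the code that was patched; the 4096-byte resource length, the MAX_OFFSET ceiling and the function names are assumptions made up for the example. The idea is that every number the client sent is bounds-checked against the real resource length before any arithmetic or buffer work happens with it, so absurd values such as 18446744073709551615, or a start offset past the end of a small file, turn into a harmless 416 response instead of reaching code that trusts them.

```python
"""Validate an HTTP Range header before acting on it.

Added example (not code from the original post, and not IIS/HTTP.sys code).
It shows the discipline the post calls for: reject or clamp client-supplied
byte offsets against the real resource length before anything downstream
uses them. RFC 7233 syntax is followed for the parsing; the sanity ceiling
MAX_OFFSET is a hypothetical local policy, not something the RFC requires.
"""
import re

# One byte-range-spec: "first-last", "first-", or "-suffix".
_SPEC = re.compile(r"^(?:(\d+)-(\d*)|-(\d+))$")

# Hypothetical sanity ceiling (1 TiB): nothing this server serves is anywhere
# near that size, so a larger offset is treated as hostile and refused outright
# rather than handed to further code that might do arithmetic with it.
MAX_OFFSET = 2**40


class RangeError(ValueError):
    """Raised for a well-formed but unsatisfiable Range (HTTP 416)."""


def parse_range(header, content_length):
    """Return a list of inclusive (start, end) byte pairs, or None.

    None means "ignore the header and serve the whole resource" (absent,
    unsupported unit, or syntactically invalid, as RFC 7233 prescribes).
    RangeError means "416 Range Not Satisfiable". Every pair returned is
    guaranteed to satisfy 0 <= start <= end < content_length.
    """
    if header is None or not header.startswith("bytes="):
        return None
    ranges = []
    for raw in header[len("bytes="):].split(","):
        m = _SPEC.match(raw.strip())
        if not m:
            return None                    # malformed: ignore, never guess
        first, last, suffix = m.groups()
        if suffix is not None:             # "-N": last N bytes
            n = int(suffix)
            if n == 0 or n > MAX_OFFSET or content_length == 0:
                raise RangeError(raw)
            start = max(0, content_length - n)
            end = content_length - 1
        else:
            start = int(first)
            if start > MAX_OFFSET or start >= content_length:
                raise RangeError(raw)      # e.g. "20-" on a 10-byte file
            if last == "":                 # "N-": from N to the end
                end = content_length - 1
            else:
                end = int(last)
                if end > MAX_OFFSET:
                    raise RangeError(raw)  # e.g. the 2**64-1 value
                if end < start:
                    return None            # invalid spec: ignore the header
                end = min(end, content_length - 1)  # RFC: clamp to the end
        ranges.append((start, end))
    return ranges or None


def range_status(header, content_length):
    """Map the parse result to the HTTP status a server would send."""
    try:
        ranges = parse_range(header, content_length)
    except RangeError:
        return 416
    return 200 if ranges is None else 206


if __name__ == "__main__":
    # Constructed example resource: a 4096-byte static file.
    length = 4096
    for hdr in ["bytes=0-499", "bytes=-100", "bytes=0-18446744073709551615",
                "bytes=20-", "bytes=500-100", None]:
        print(repr(hdr), "->", range_status(hdr, length))
    print("bytes=20- on a 10-byte file ->", range_status("bytes=20-", 10))
```

The two lines that matter are the `start >= content_length` and `end > MAX_OFFSET` checks: they are exactly the kind of comparison that is cheap to write and, when missing, lets a single header reach code that assumes the numbers are sane. A strictly RFC-conformant server would clamp an oversized last-byte-pos rather than refuse it; the refusal here is a deliberate, slightly stricter choice for code that sits in a privileged position.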
Hang on a minute: an instruction sent to an open port on a server had the opportunity to crash the whole server! Not just the webserver, or the currently active thread that is returning a single web page, but the whole server. Really.
This is because of an arms race between IIS and Apache that happened a few years back; both were trying to demonstrate that they were the fastest webserver at a range of tasks, one of which was returning HTTPS web pages.
In order to try and gain an advantage in that race, Microsoft broke a security model. They moved the HTTPS handling of the IIS webserver into the kernel, the core part of the operating system. This made the processing of HTTPS pages faster, but it means that a simple bug will crash the whole server.
Which is why people don’t host critical systems on Microsoft webservers: they know that bugs like this one will be out there, that the code base isn’t being independently checked, and that security standards are ignored to try and satisfy performance goals.